Definitely check that. Not like random credentials. Having your entire user base pass their AD credentials over the Internet in clear text is pretty bad. Most of them probably don't realize that the site is not secure.